Configuring hardware cryptography (SC14)

This scenario describes how to configure hardware cryptography for CICS® TG for IBM® z/OS®. The example uses an IBM z10 mainframe with the Crypto Express2 (CEX2) feature.

Background information on the Hardware Cryptography configuration

Hardware cryptography varies between different machines. Depending on how the features of hardware cryptography are configured, significant performance gains can be achieved. Newer machines than the z10, such as the zEC12 or z13®, provide even greater advantages for hardware cryptography and so should be strongly considered if using SSL. The cryptographic hardware features available on the System z10® EC include a CP (Central Processor) Assist for Cryptographic Functions (CPACF) and a Crypto Express2 (CEX2) feature.

CPACF provides encryption accelerator functionality on a quad-core chip, which is designed to provide high-speed cryptography. The CEX2 feature combines the functions of Coprocessor mode (for secure key encrypted transactions) and Accelerator mode (for SSL acceleration) in a single feature with two PCI-X adapters. For this scenario the CEX2 feature is configured with one Coprocessor and one Accelerator.

CPACF is started using the Integrated Cryptographic Service Facility (ICSF). ICSF is the software on an IBM z/OS system that serves as the interface to the cryptographic hardware and to the key data sets where keys can be stored. For further information about ICSF, see: IBM z/OS Cryptographic Services ICSF Overview.

Certificate and key storage

In this scenario the SSL certificates are stored in RACF®, and the private key in ICSF. Certificates and keys are generated using IBM RACF RACDCERT commands on TSO. This scenario uses the SSL_RSA_WITH_AES_128_CBC_SHA cipher.
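As an added illustration of the storage model described above (not a command sequence from this scenario, which is given in the following topics), the RACDCERT commands below create a key ring, generate a certificate whose RSA private key is held in the ICSF PKDS rather than in the RACF database, and connect it to the ring. The user ID CTGUSER, the ring name CTGRING, the label CTGCERT, the distinguished name and the expiry date are constructed placeholders; substitute your own values.

```tso
/* Constructed example: user ID, ring, label and DN are placeholders */
/* 1. Create a key ring owned by the CICS TG region user ID           */
RACDCERT ID(CTGUSER) ADDRING(CTGRING)

/* 2. Generate a self-signed certificate. The ICSF keyword stores the */
/*    private key in the ICSF PKDS, so ICSF must be active first.     */
/*    SIZE(2048) selects a 2048-bit RSA key.                          */
RACDCERT ID(CTGUSER) GENCERT +
   SUBJECTSDN(CN('ctg.example.com') O('EXAMPLE') C('US')) +
   WITHLABEL('CTGCERT') +
   ICSF +
   SIZE(2048) +
   NOTAFTER(DATE(2026-12-31))

/* 3. Connect the certificate to the ring as the default certificate  */
RACDCERT ID(CTGUSER) CONNECT(LABEL('CTGCERT') RING(CTGRING) DEFAULT)

/* 4. Refresh the in-storage profiles so the change takes effect      */
SETROPTS RACLIST(DIGTCERT DIGTRING) REFRESH

/* 5. Verify where the private key lives                              */
RACDCERT ID(CTGUSER) LIST(LABEL('CTGCERT'))
```

The LIST output in step 5 reports the private key type; with the ICSF keyword it shows the key as held in ICSF rather than as a non-ICSF (RACF database) key. If ICSF is not active when GENCERT runs, the request fails instead of silently falling back to software key storage, which is the behaviour you want: a key that ends up outside the PKDS cannot benefit from the CEX2 Coprocessor and does not carry its protection.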

Procedure

Follow the instructions in the following topics to configure and test hardware cryptography.